27 Apr

Phishing: Don’t Get Hooked!

It’s easy to let your mind wander as winter turns to spring and the sun extends that perfect invitation to get out of the office and forget about life for a while. And then you glance back at your computer screen.

“Gone phishing.”

Your spam folder is filled with get rich quick schemes, that lottery prize you forgot to claim, and dozens of offers for free “stuff.” The messages that make it to your inbox are a little more subtle. According to Fraudwatch International, these are the “most popular” phishing subject lines.

According to the 2018 HIMSS Cybersecurity Survey, nearly 62% of respondents stated that email phishing was the initial point of compromise for their most recent significant security incident.* Verizon’s 2018 Data Breach Investigations Report named financial pretexting and phishing as the sources of 93% of all breaches they investigated. In fact, the data illustrates that organizations are about three times more likely to be breached through social attacks like phishing than by malicious actors exploiting software or firmware vulnerabilities.

Which really isn’t all that surprising.

Humans are the easiest vulnerability to exploit in any network. With a large enough campaign, it is almost statistically guaranteed that someone within the organization will open something they don’t realize is harmful.

Although spam filters may catch some phishing emails before they land in a user’s inbox, filters will never be 100% effective at detection, especially when malicious actors step up their game. Increasingly, organizations are being hit with spear phishing campaigns—attacks that target specific individuals and often employ insider information, clever deceptions, and impersonations. Sophisticated actors can send seemingly typical messages from compromised accounts, disguise their sender addresses, or set up false credential-stealing websites that mimic the look and feel of trusted web applications. They can build rapport with employees through email exchanges before enticing an individual to click the wrong link or open that malware-infested attachment.

All it takes is a single end user to click or open a file. Then boom, another headline decrying a data breach at a hospital or a ransomware attack that has rendered critical patient data inaccessible.

While we can never eliminate the dangers of phishing, there are critical steps that organizations can take to mitigate the risk. Consider the following suggestions:

Communicate the Need

Communication, communication—we can’t stress it enough. Healthcare systems are busy places, and non-IT staff may not understand the importance of good cybersecurity hygiene or why certain protocols have been put in place. It becomes critical for managers to convey the scope of risk and why it matters in terms that non-technical staff can appreciate. Security isn’t solely the purview of IT; in this age, it is a responsibility belonging to every member of an organization.

Train Your Employees

A 2015 report by PhishMe, which analyzed 8 million phishing simulations across 23 industries, showed that the average response rate to phishing simulations fell from 20% to 13% after three simulation exercises and continued to fall with additional training. The bottom line—education works. Invest in training exercises, especially hands-on trials. Test your employees by sending them simulated emails rather than (or in addition to) making them sit through a yearly presentation. Alert them when new campaigns have been identified in the network and show them what to watch out for with examples from the wild.

Create a Response Plan

Your employees may know how to identify something fishy, but do they know what to do next? Your security training should include clear steps employees should take when encountering suspicious communications. Consider the following suggestions:

Verify the sender’s identity. If a request seems out of the ordinary or involves a sensitive subject, the employee should write a new message to the sender’s known, trusted email address instead of clicking “Reply” (in case the sender address has been disguised), or should call the sender on the phone to verify that the account has not been compromised.

See something, say something. Encourage employees to report out-of-the-ordinary messages to the security team, and clearly identify whom employees should contact if they have a question. Even if an employee isn’t fooled by a suspicious email, they should still report it; after all, the security team will want to be ready in case anyone else received the email, clicked something potentially malicious, and neglected to report it.

If you clicked something, it’s OK. Phishing can be sophisticated, and everyone makes mistakes—if an employee clicked something, they should contact the security team immediately. Impress upon your employees that they won’t be reprimanded for making a mistake and that their honesty is very much appreciated in helping the organization guard against threats. Even if a link did not seem to do anything, it is worth reporting—not all malware makes noise.
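The “Verify the sender’s identity” suggestion above rests on the fact that the address a reply goes to can differ from the one the recipient sees. The following added example (not code from the original post) parses a constructed message with Python’s standard `email` module and lists the header mismatches a security team might flag; all domains, mailboxes and the `trusted_domain` value are assumptions for illustration.

```python
# Added example (not from the original post): header checks that show why
# clicking "Reply" on a suspicious message is risky. The displayed From
# name, the real From mailbox and the Reply-To address can all differ.
# All domains and messages below are constructed for illustration.
from email import message_from_string
from email.utils import parseaddr

# Constructed phish: display name mimics an internal address, the real
# mailbox is external, and Reply-To points somewhere else again.
SAMPLE_PHISH = """\
From: "cfo@hospital.example" <cfo.hospital@mail-relay.example>
Reply-To: payments@invoice-desk.example
To: clerk@hospital.example
Subject: Urgent wire transfer

Please process the attached invoice today.
"""

# Constructed legitimate internal message for comparison.
SAMPLE_CLEAN = """\
From: "Jane Doe" <jane.doe@hospital.example>
To: clerk@hospital.example
Subject: Lunch

See you at noon.
"""

def _domain(addr):
    """Lower-cased part after '@', or '' if there is no '@'."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def sender_findings(raw, trusted_domain):
    """Return reasons the sender headers look disguised; [] if none.
    trusted_domain: the organisation's own mail domain (assumed)."""
    msg = message_from_string(raw)
    name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    findings = []
    # A display name containing '@' is dressed up to look like an address.
    if "@" in name and _domain(name) != _domain(from_addr):
        findings.append(f"display name {name!r} does not match mailbox {from_addr}")
    # Claims the trusted domain by name, but the mailbox is elsewhere.
    if trusted_domain in name.lower() and _domain(from_addr) != trusted_domain:
        findings.append(f"claims {trusted_domain} but sent from {_domain(from_addr)}")
    # A reply would go to a different domain than the apparent sender.
    if reply_to and _domain(reply_to) != _domain(from_addr):
        findings.append(f"Reply-To {reply_to} differs from From {from_addr}")
    return findings
```

Running `sender_findings(SAMPLE_PHISH, "hospital.example")` yields three findings, while the clean message yields none; a mail gateway or a reporting workflow can use the same checks to annotate messages before anyone reaches for the Reply button.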

Conduct Risk Assessments and Secure IoT Devices

Malicious actors use phishing for a variety of purposes, including obtaining access to the network for spreading malware or extracting sensitive data. Conducting periodic security risk assessments will help mitigate potential damage to your systems and the amount of data that can be easily stolen.

According to the HIMSS report, most healthcare organizations are conducting security risk assessments at least once a year; however, of those that do conduct assessments, only 34.3% of respondents stated that their assessments explicitly include medical devices. As the number of medical devices on the network increases, conducting regular assessments of Internet of Things devices grows in importance—after all, IoT medical devices have been notoriously vulnerable, and a recent investigation by Trend Micro and HITRUST found that many IoT hospital devices containing sensitive data were publicly exposed on the internet. The recent revelation of the attack group Orangeworm, who have been targeting devices in healthcare systems and the medical supply chain with backdoor malware, underscores the issue.

So what can be done? Start by scanning your network for IoT devices that might be publicly visible when they shouldn’t be. Review your IoT security policies and network configurations. Update device firmware when updates are released. Regular security screenings of IoT devices will help protect the data and services of these systems if a malicious actor compromises the network.

Review Mobile Security

According to a report by mobile security company Lookout, phishing attacks targeting mobile users are on the rise, and mobile users are significantly more inclined to fall for malicious links (via email, SMS, and social media messaging platforms) than desktop users. With so many portable devices on a network, how can an organization most effectively guard against threats—especially if employees are using their personal devices on the job?

For one, you should review and update your corporate mobile device policy (or draft one if you don’t have one!). Ensure that mobile phishing techniques are included in your data security training. Assess the effectiveness of your Mobile Device Management (MDM) solution, or consider adopting one if you don’t use one already. If you currently have an MDM solution but aren’t satisfied with its security capabilities, perhaps it’s time to shop around for a new provider or seek solutions you can layer on top of your MDM, such as a Mobile Content Management (MCM) solution that centralizes file storage and streamlines data sharing from the cloud.

Phishing is a perennial headache and real danger (we could say a “reel” danger, but we’ve already taken these puns too far). The lesson? So long as you keep on top of employee education and regular security assessments, you’ll be in much better shape to keep your organization’s data safe and sound.

*According to the HIMSS report, “Every organization has its own definition of what constitutes a ‘security incident’ and a ‘significant security incident.’ Such incidents may range from sophisticated, advanced persistent threat (‘APT’) attacks to negligent insider activity.”